WHITE PAPER
CIO Study: Automation Vital to Address Shorter Lifespans and Massive Growth of TLS/SSL Certificates

Without automation, uncontrolled growth coupled with shorter lifespans will burden teams and increase the risk of certificate outages and data breaches.
Exponential Growth in TLS Certificates Challenges Organizations

Digital transformation is reshaping our connected world. One obvious consequence is an unprecedented rise in the number of machines on enterprise networks, all of which need to connect, authenticate and communicate securely. Machines are used in countless ways, with lifespans that range from years (physical servers and mainframes) to days or even minutes (containers). Every one of these machines needs a unique identity, and for TLS that identity is a certificate.

As organizations modernize, certificate lifespans continue to shorten to match the pace of continuous delivery and a rapidly evolving threat landscape. Google's Chrome Root Program has signaled a strong preference for shorter lifespans, proposing that the maximum validity period for publicly trusted TLS certificates drop from 398 days to 90. Apple has gone further, proposing a 47-day maximum to the CA/Browser Forum. If these changes are ratified, they will sharply increase the staff hours and budget required to manage a continuously rotating certificate population.
To better understand the need for automation to address shorter lifespans and the growth in TLS certificates, Venafi sponsored a study by the market research firm Coleman Parkes Research of 1,000 CIOs from six regions: United States, United Kingdom, France, DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxembourg) and Australasia (Australia, New Zealand). The study explores how the growth of machine identities affects CIOs and their businesses.
Key Finding: 4X Average Number of TLS Certificates by 2025

CIOs know that their organizations use a great many machine identities, such as TLS certificates, and the Coleman Parkes survey bears this out. Across companies of all sizes, the average number of machine identities per organization at the end of 2021 was nearly 250,000 and was estimated to be growing by 42% per year.

Larger organizations face an even greater challenge. On average, CIOs at organizations with more than 10,000 employees estimated that they had more than 320,000 machine identities at the start of 2022. If their growth rate holds for the next three years, that number will more than quadruple to around 1.3 million by 2025. (Quadrupling in three years implies roughly 60% annual growth at these large organizations, faster than the 42% all-company average.)

The impending shorter lifespans add a second multiplier. With a 90-day or 47-day maximum validity, and renewal started well before expiry, security teams will have to rotate each TLS certificate roughly six to ten times a year instead of once. The sheer number of certificates is a looming issue on its own; the total renewal workload is the number of certificates multiplied by the renewal frequency, so the two compound each other.
www.cyberark.com
Outage Risk Increases as Certificates Require More Frequent Renewals

Figure: average number of TLS certificates in large organizations, 320,000 in 2022 versus 1.3M expected in 2025.

The rapid growth in certificates has created problems that stem from fragmented approaches to certificate lifecycle management. The resulting security risks threaten not only organizations themselves but also their customers, as several publicized attacks have shown.

Certificate-related outages, typically the first and most obvious symptom of weak machine identity management, have become commonplace among enterprises. According to the Coleman Parkes survey:

• 83% of organizations suffered a certificate-related outage during the last 12 months
• 26% of the CIOs whose organizations experienced outages said these outages impacted business-critical systems

Given the unrelenting increase in the number of certificates, organizations face a higher number of outages, with more risk to their critical systems, unless they dramatically change their approach to managing certificates.

Of the companies that reported certificate-related outages:

• 80% had at least three outages per year
• 55% had 12 or more outages per year
• 25% had weekly outages (52 or more per year)

Moreover, 57% of CIOs said they had experienced at least one data breach or other security incident related to compromised certificates within the previous 12 months. Organizations should expect these negative consequences to accelerate as the number of machines continues to multiply, and their potential impact to be incalculable.
Poor Management of TLS Certificates Disrupts Business

Why are organizations experiencing so many negative business consequences related to undermanaged TLS certificates? A significant contributing factor is that most organizations lack an enterprise-wide, holistic certificate lifecycle management solution to secure certificates across their IT environment, including physical and virtual data centers, colocation facilities and multi-cloud environments.

According to the survey, nearly two thirds (64%) of CIOs reported using a mix of solutions and processes instead of a comprehensive certificate management solution. This includes point solutions from approved certificate authorities (CAs) and public cloud providers, in-house solutions and manual processes such as spreadsheets.

Automation Is a Prerequisite to Scaling the Management of Short-lived Certificates

Perhaps the biggest problem with using a hodgepodge of solutions and processes is the inability to automate TLS certificate lifecycle management. Given the sheer number of certificates that organizations already have, automation is essential to managing and securing them effectively.

In 2020, NIST published "Special Publication 1800-16: Securing Web Transactions, TLS Server Certificate Management (SP 1800-16)," the first framework that directly addresses specific security controls for TLS keys and certificates used as machine identities. Volume SP 1800-16B, which provides best practices and recommendations on how to develop policies for certificate management, stresses that automation should be used as much as possible for the enrollment, installation, monitoring and replacement of certificates. In NIST's words: "Any insistence on using manual methods where automation could be used to limit operational security risk must be explicitly justified."

Solutions that are cobbled together lack the integration capabilities that would let enterprises automate the bulk of the actions required for enterprise-wide certificate management. Without a comprehensive management strategy in place, these problems will leave organizations at even greater risk than they face today.
Conclusion: Automate Certificates Now to Prepare for the Future

Given the exponential growth of machines and their shortening lifespans, IT and security teams are discovering that the tools and strategies currently in use are no match for managing millions of certificates, particularly in hybrid and multi-cloud environments. The compromise of a single machine identity can give a threat actor a foothold in an entire network and, alarmingly, in the networks of customers and partners. These problems will only intensify as certificate lifespans continue to shrink.

A comprehensive certificate lifecycle management program must use automation to orchestrate the actions needed to secure certificates throughout their lifecycles. Particularly in cloud-native architectures, machine identity management that provides visibility and intelligence into all certificates, no matter how ephemeral, and the automation to ensure that certificates adhere to corporate security policies and processes, may mean the difference between a successful digital transformation initiative and one that upends an organization and threatens its customers.

Learn how we can help your organization automate its certificate management, no matter how many certificates you have.

5 Immediate Actions to Brace for the Shift to Shorter Certificate Lifespans

Automation lets you take control of your renewals and ensure that no certificate is neglected, sparing you unnecessary pain and toil. Here are five ways automation can simplify your current operations and future-proof your TLS certificate lifecycle management.

1. Implement continuous discovery and inventory
Create and maintain a complete inventory of your TLS certificates, including who owns each certificate, where it is installed and when it expires. Once that is complete, automate discovery so that it runs continuously and preserves the visibility that business continuity and best-practice security depend on.

2. Automate renewal processes
By automating renewals you not only save time but also keep certificates up to date, avoiding the downtime caused by expired certificates. Use a certificate lifecycle management solution that lets you automate through ACME, APIs, SDKs, agents and more.

3. Configure global policies and workflows
To ensure your certificates use the most stringent attributes, adopt global policies and workflows. Enforcing these safeguards automatically through self-service prevents business units from going rogue with unauthorized or non-compliant certificates.

4. Integrate with DevOps tools
Make life simple for your developers by integrating your certificate lifecycle management solution with their existing tools. Turnkey, API-driven integrations enable automated provisioning of certificates in continuous deployment environments, ensuring strict adherence to the validity periods for certificates used in both new and existing applications.

5. Set up real-time monitoring and reporting
Continuous monitoring and reporting let you verify that all certificates comply with the new, shortened lifespans and with organizational policies. Regular, real-time audits help identify and rectify deviations, reducing the risk of security breaches or non-compliance penalties.
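The following is an added example, not code from the paper or from any CyberArk or Venafi product. It puts the renewal-frequency argument from the Key Finding section and the five actions above into one runnable inventory audit: each certificate in a constructed inventory is bucketed as ok, due for renewal or expired; checked against a global policy (lifespan cap, approved issuer, recorded owner, automated renewal, the last echoing SP 1800-16B); and the fleet-wide renewal load is estimated for the 398-, 90- and 47-day caps the paper cites. The hosts, owners and issuers are made up. The one assumption not taken from the paper is the renewal point: renewal is treated as due once two thirds of a certificate's validity period has elapsed, the convention many ACME clients follow; change RENEW_AT_FRACTION to match your own renewal policy.

```python
"""Certificate inventory audit: renewal scheduling, policy checks and
fleet renewal load. Added example; the inventory below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import ceil
from typing import Dict, List, Optional, Set

# Maximum validity in days under each regime the paper discusses.
LIFESPAN_CAPS = {"current": 398, "google_proposal": 90, "apple_proposal": 47}

# Assumption (not from the paper): start renewal once two thirds of the
# validity period has elapsed, the convention many ACME clients follow.
RENEW_AT_FRACTION = 2 / 3


@dataclass
class Cert:
    host: str                 # where the certificate is installed
    owner: Optional[str]      # accountable team, None if unknown
    issuer: str
    not_before: datetime
    not_after: datetime
    automated: bool           # renewed via ACME/API, or by hand

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


@dataclass
class Policy:
    max_validity_days: int
    approved_issuers: Set[str]
    renew_at_fraction: float = RENEW_AT_FRACTION


def renewal_deadline(cert: Cert, policy: Policy) -> datetime:
    """Point at which renewal should already have started."""
    return cert.not_before + timedelta(days=cert.validity_days * policy.renew_at_fraction)


def renewal_state(cert: Cert, policy: Policy, now: datetime) -> str:
    if now >= cert.not_after:
        return "expired"
    if now >= renewal_deadline(cert, policy):
        return "renew_now"
    return "ok"


def policy_violations(cert: Cert, policy: Policy) -> List[str]:
    """Global policy checks (action 3): lifespan cap, approved CA, owner, automation."""
    problems = []
    if cert.validity_days > policy.max_validity_days:
        problems.append(f"validity {cert.validity_days}d exceeds cap of {policy.max_validity_days}d")
    if cert.issuer not in policy.approved_issuers:
        problems.append(f"issuer {cert.issuer!r} is not an approved CA")
    if cert.owner is None:
        problems.append("no owner recorded")
    if not cert.automated:
        problems.append("manual renewal; SP 1800-16B says this must be explicitly justified")
    return problems


def renewals_per_year(lifetime_days: int, renew_at_fraction: float = RENEW_AT_FRACTION) -> float:
    """Renewals per certificate per year when each is renewed at the configured point."""
    return 365 / (lifetime_days * renew_at_fraction)


def fleet_renewal_load(cert_count: int, lifetime_days: int) -> int:
    """Renewal operations per year across a fleet of cert_count certificates."""
    return ceil(cert_count * renewals_per_year(lifetime_days))


def audit(inventory: List[Cert], policy: Policy, now: datetime) -> Dict[str, object]:
    """Actions 1 and 5: walk the inventory, bucket by renewal state, collect violations."""
    report = {"expired": [], "renew_now": [], "ok": [], "violations": {}}
    for cert in inventory:
        report[renewal_state(cert, policy, now)].append(cert.host)
        problems = policy_violations(cert, policy)
        if problems:
            report["violations"][cert.host] = problems
    return report


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory; hosts, owners and issuers are made up.
NOW = _utc(2025, 1, 15)
POLICY = Policy(max_validity_days=LIFESPAN_CAPS["google_proposal"],
                approved_issuers={"Let's Encrypt", "Internal CA"})
INVENTORY = [
    Cert("api.example.test", "platform", "Let's Encrypt", _utc(2024, 12, 1), _utc(2025, 3, 1), True),
    Cert("legacy.example.test", None, "Internal CA", _utc(2024, 1, 1), _utc(2025, 2, 2), False),
    Cert("old.example.test", "ops", "Some Other CA", _utc(2024, 6, 1), _utc(2024, 12, 31), True),
    Cert("short.example.test", "web", "Let's Encrypt", _utc(2025, 1, 10), _utc(2025, 2, 26), True),
]

if __name__ == "__main__":
    for bucket, hosts in audit(INVENTORY, POLICY, NOW).items():
        print(bucket, hosts)
    for name, days in LIFESPAN_CAPS.items():
        print(f"{name}: {renewals_per_year(days):.1f} renewals/cert/year, "
              f"{fleet_renewal_load(320_000, days):,} for 320,000 certs")
```

On the constructed inventory the 398-day internal certificate is flagged both as due for renewal and as violating the 90-day cap, lacking an owner and being renewed by hand, while the expired certificate from an unapproved CA shows why discovery has to run continuously rather than once. For a fleet the size of the paper's large-organization average, moving from 398-day to 90-day certificates raises the yearly renewal count from about 1.4 to about 6 per certificate, which is the multiplier that makes manual renewal untenable.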
©2024 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk
Software. CyberArk®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and
other jurisdictions. Any other trade and service names are the property of their respective owners. CyberArk believes the information in this document is accurate as of its
publication date. The information is provided without any express, statutory, or implied warranties and is subject to change without notice. | U.S., 12.24